Employees of a modern organization often have access to files including information concerning various significant business aspects of the organization. This information may include data on customers (or patients), contracts, deliveries, supplies, employees, manufacturing, or the like. Conventional security techniques typically scan data as it is leaving an endpoint system, and perform predetermined actions based on static data loss prevention (DLP) policies to prevent loss of sensitive information. In conventional security techniques, given a particular user, article of information and attempted user operation, the same predetermined actions will always be performed. This requires an administrator to decide, at the time that the security system is set up, whether to have highly restrictive DLP policies or less restrictive DLP policies. Highly restrictive policies make data safer at the cost of consuming large amounts of system resources and possibly preventing users from performing legitimate operations (causing false positives). Less restrictive policies use fewer resources and cause fewer false positives, but provide a less secure environment. Conventional security techniques are not able to dynamically change actions and DLP policies (e.g., to increase or decrease protection) based on user behavior.